Subject:  RE:  Follow-up 

From:  "Villalobos,  Brian  C."  <BCVillal@lasd.org> 

Date:  6/20/18,  3:51  PM 

To:  "Gaw,  John  L."  <JLGaw@lasd.org> 

CC:  "Kearney,  Kevin"  <kkearney@cityofbradbury.org> 


John , 

Thank  you  for  all  of  your  help.  We  really  appreciate  it  and  will  be  in  touch  soon. 
-Brian 


From:  Gaw,  John  L. 

Sent:  Wednesday,  June  20,  2018  7:46  AM 
To:  Villalobos,  Brian  C.  <BCVillal(3lasd .  org> 

Cc:  Kearney,  Kevin  <kkearnevOcit vofbradburv.org> 
Subject:  Follow-up 


Brian , 


Here  is  a  copy  of  the  quote  for  your  records.  I  have  also  included  SB34  which  enacted  changes  to  the  Civil  Code  and 
addressed  sharing  or  providing  ALPR  data  to  other  (highlighted  and  in  red),  since  it  came  up  during  the  council  meeting. 


The  people  of  the  State  of  California  do  enact  as  follows: 


SECTION  1. 

Section  1798.29  of  the  Civil  Code  is  amended  to  read: 


1798.29. 

(a)  Any  agency  that  owns  or  licenses  computerized  data  that  includes  personal  information  shall  disclose  any  breach  of 
the  security  of  the  system  following  discovery  or  notification  of  the  breach  in  the  security  of  the  data  to  any  resident 
of  California  whose  unencrypted  personal  information  was,  or  is  reasonably  believed  to  have  been,  acquired  by  an 
unauthorized  person.  The  disclosure  shall  be  made  in  the  most  expedient  time  possible  and  without  unreasonable  delay, 
consistent  with  the  legitimate  needs  of  law  enforcement,  as  provided  in  subdivision  (c),  or  any  measures  necessary  to 
determine  the  scope  of  the  breach  and  restore  the  reasonable  integrity  of  the  data  system. 

(b)  Any  agency  that  maintains  computerized  data  that  includes  personal  information  that  the  agency  does  not  own  shall 
notify  the  owner  or  licensee  of  the  information  of  any  breach  of  the  security  of  the  data  immediately  following 
discovery,  if  the  personal  information  was,  or  is  reasonably  believed  to  have  been,  acquired  by  an  unauthorized  person. 

(c)  The  notification  required  by  this  section  may  be  delayed  if  a  law  enforcement  agency  determines  that  the 
notification  will  impede  a  criminal  investigation.  The  notification  required  by  this  section  shall  be  made  after  the  law 
enforcement  agency  determines  that  it  will  not  compromise  the  investigation. 

(d)  Any  agency  that  is  required  to  issue  a  security  breach  notification  pursuant  to  this  section  shall  meet  all  of  the 
following  requirements: 

(1)  The  security  breach  notification  shall  be  written  in  plain  language. 

(2)  The  security  breach  notification  shall  include,  at  a  minimum,  the  following  information: 

(A)  The  name  and  contact  information  of  the  reporting  agency  subject  to  this  section. 

(B)  A  list  of  the  types  of  personal  information  that  were  or  are  reasonably  believed  to  have  been  the  subject  of  a 
breach . 

(C)  If  the  information  is  possible  to  determine  at  the  time  the  notice  is  provided,  then  any  of  the  following:  (i)  the 
date  of  the  breach,  (ii)  the  estimated  date  of  the  breach,  or  (iii)  the  date  range  within  which  the  breach  occurred.  The 
notification  shall  also  include  the  date  of  the  notice. 

(D)  Whether  the  notification  was  delayed  as  a  result  of  a  law  enforcement  investigation,  if  that  information  is  possible 
to  determine  at  the  time  the  notice  is  provided. 

(E)  A  general  description  of  the  breach  incident,  if  that  information  is  possible  to  determine  at  the  time  the  notice  is 
provided . 

(F)  The  toll-free  telephone  numbers  and  addresses  of  the  major  credit  reporting  agencies,  if  the  breach  exposed  a  social 
security  number  or  a  driver's  license  or  California  identification  card  number. 


(3)  At  the  discretion  of  the  agency,  the  security  breach  notification  may  also  include  any  of  the  following: 

(A)  Information  about  what  the  agency  has  done  to  protect  individuals  whose  information  has  been  breached. 

(B)  Advice  on  steps  that  the  person  whose  information  has  been  breached  may  take  to  protect  himself  or  herself. 

(4)  In  the  case  of  a  breach  of  the  security  of  the  system  involving  personal  information  defined  in  paragraph  (2)  of 
subdivision  (g)  for  an  online  account,  and  no  other  personal  information  defined  in  paragraph  (1)  of  subdivision  (g), 
the  agency  may  comply  with  this  section  by  providing  the  security  breach  notification  in  electronic  or  other  form  that 
directs  the  person  whose  personal  information  has  been  breached  to  promptly  change  his  or  her  password  and  security 
question  or  answer,  as  applicable,  or  to  take  other  steps  appropriate  to  protect  the  online  account  with  the  agency  and 
all  other  online  accounts  for  which  the  person  uses  the  same  user  name  or  email  address  and  password  or  security 
question  or  answer. 

(5)  In  the  case  of  a  breach  of  the  security  of  the  system  involving  personal  information  defined  in  paragraph  (2)  of 
subdivision  (g)  for  login  credentials  of  an  email  account  furnished  by  the  agency,  the  agency  shall  not  comply  with  this 
section  by  providing  the  security  breach  notification  to  that  email  address,  but  may,  instead,  comply  with  this  section 
by  providing  notice  by  another  method  described  in  subdivision  (i)  or  by  clear  and  conspicuous  notice  delivered  to  the 
resident  online  when  the  resident  is  connected  to  the  online  account  from  an  Internet  Protocol  address  or  online 
location  from  which  the  agency  knows  the  resident  customarily  accesses  the  account. 

(e)  Any  agency  that  is  required  to  issue  a  security  breach  notification  pursuant  to  this  section  to  more  than  500 
California  residents  as  a  result  of  a  single  breach  of  the  security  system  shall  electronically  submit  a  single  sample 
copy  of  that  security  breach  notification,  excluding  any  personally  identifiable  information,  to  the  Attorney  General.  A 
single  sample  copy  of  a  security  breach  notification  shall  not  be  deemed  to  be  within  subdivision  (f)  of  Section  6254  of 
the  Government  Code. 

(f)  For  purposes  of  this  section,  "breach  of  the  security  of  the  system"  means  unauthorized  acquisition  of  computerized 
data  that  compromises  the  security,  confidentiality,  or  integrity  of  personal  information  maintained  by  the  agency.  Good 
faith  acquisition  of  personal  information  by  an  employee  or  agent  of  the  agency  for  the  purposes  of  the  agency  is  not  a 
breach  of  the  security  of  the  system,  provided  that  the  personal  information  is  not  used  or  subject  to  further 
unauthorized  disclosure. 

(g)  For  purposes  of  this  section,  "personal  information"  means  either  of  the  following: 

(1)  An  individual's  first  name  or  first  initial  and  last  name  in  combination  with  any  one  or  more  of  the  following  data 
elements,  when  either  the  name  or  the  data  elements  are  not  encrypted: 

(A)  Social  security  number. 

(B)  Driver's  license  number  or  California  identification  card  number. 

(C)  Account  number,  credit  or  debit  card  number,  in  combination  with  any  required  security  code,  access  code,  or 
password  that  would  permit  access  to  an  individual's  financial  account. 

(D)  Medical  information. 

(E)  Health  insurance  information. 

(F)  Information  or  data  collected  through  the  use  or  operation  of  an  automated  license  plate  recognition  system,  as 
defined  in  Section  1798.90.5. 

(2)  A  user  name  or  email  address,  in  combination  with  a  password  or  security  question  and  answer  that  would  permit 
access  to  an  online  account. 

(h)  (1)  For  purposes  of  this  section,  "personal  information"  does  not  include  publicly  available  information  that  is 
lawfully  made  available  to  the  general  public  from  federal,  state,  or  local  government  records. 

(2)  For  purposes  of  this  section,  "medical  information"  means  any  information  regarding  an  individual's  medical  history, 
mental  or  physical  condition,  or  medical  treatment  or  diagnosis  by  a  health  care  professional. 

(3)  For  purposes  of  this  section,  "health  insurance  information"  means  an  individual's  health  insurance  policy  number  or 
subscriber  identification  number,  any  unique  identifier  used  by  a  health  insurer  to  identify  the  individual,  or  any 
information  in  an  individual's  application  and  claims  history,  including  any  appeals  records. 

(i)  For  purposes  of  this  section,  "notice"  may  be  provided  by  one  of  the  following  methods: 

(1)  Written  notice. 

(2)  Electronic  notice,  if  the  notice  provided  is  consistent  with  the  provisions  regarding  electronic  records  and 

signatures  set  forth  in  Section  7001  of  Title  15  of  the  United  States  Code. 

(3)  Substitute  notice,  if  the  agency  demonstrates  that  the  cost  of  providing  notice  would  exceed  two  hundred  fifty 

thousand  dollars  ($250,000),  or  that  the  affected  class  of  subject  persons  to  be  notified  exceeds  500,000,  or  the  agency 

does  not  have  sufficient  contact  information.  Substitute  notice  shall  consist  of  all  of  the  following: 

(A)  Email  notice  when  the  agency  has  an  email  address  for  the  subject  persons. 

(B)  Conspicuous  posting  of  the  notice  on  the  agency's  Internet  Web  site  page,  if  the  agency  maintains  one. 

(C)  Notification  to  major  statewide  media  and  the  Office  of  Information  Security  within  the  Department  of  Technology. 

(j)  Notwithstanding  subdivision  (i),  an  agency  that  maintains  its  own  notification  procedures  as  part  of  an  information 
security  policy  for  the  treatment  of  personal  information  and  is  otherwise  consistent  with  the  timing  requirements  of 
this  part  shall  be  deemed  to  be  in  compliance  with  the  notification  requirements  of  this  section  if  it  notifies  subject 
persons  in  accordance  with  its  policies  in  the  event  of  a  breach  of  security  of  the  system. 


(k)  Notwithstanding  the  exception  specified  in  paragraph  (4)  of  subdivision  (b)  of  Section  1798.3,  for  purposes  of  this 
section,  "agency”  includes  a  local  agency,  as  defined  in  subdivision  (a)  of  Section  6252  of  the  Government  Code. 


SEC.  3. 


Title  1.81.23  (commencing  with  Section  1798.90.5)  is  added  to  Part  4  of  Division  3  of  the  Civil  Code,  to  read: 


TITLE  1.81.23.  COLLECTION  OF  LICENSE  PLATE  INFORMATION 


1798.90.5. 

The  following  definitions  shall  apply  for  purposes  of  this  title: 

(a)  "Automated  license  plate  recognition  end-user"  or  "ALPR  end-user"  means  a  person  that  accesses  or  uses  an  ALPR 
system,  but  does  not  include  any  of  the  following: 

(1)  A  transportation  agency  when  subject  to  Section  31490  of  the  Streets  and  Highways  Code. 

(2)  A  person  that  is  subject  to  Sections  6801  to  6809,  inclusive,  of  Title  15  of  the  United  States  Code  and  state  or 
federal  statutes  or  regulations  implementing  those  sections,  if  the  person  is  subject  to  compliance  oversight  by  a  state 
or  federal  regulatory  agency  with  respect  to  those  sections. 

(3)  A  person,  other  than  a  law  enforcement  agency,  to  whom  information  may  be  disclosed  as  a  permissible  use  pursuant  to 
Section  2721  of  Title  18  of  the  United  States  Code. 

(b)  "Automated  license  plate  recognition  information,"  or  "ALPR  information"  means  information  or  data  collected  through 
the  use  of  an  ALPR  system. 

(c)  "Automated  license  plate  recognition  operator"  or  "ALPR  operator"  means  a  person  that  operates  an  ALPR  system,  but 
does  not  include  a  transportation  agency  when  subject  to  Section  31490  of  the  Streets  and  Highways  Code. 

(d)  "Automated  license  plate  recognition  system"  or  "ALPR  system”  means  a  searchable  computerized  database  resulting 
from  the  operation  of  one  or  more  mobile  or  fixed  cameras  combined  with  computer  algorithms  to  read  and  convert  images 
of  registration  plates  and  the  characters  they  contain  into  computer- readable  data. 

(e)  "Person"  means  any  natural  person,  public  agency,  partnership,  firm,  association,  corporation,  limited  liability 
company,  or  other  legal  entity. 

(f)  "Public  agency"  means  the  state,  any  city,  county,  or  city  and  county,  or  any  agency  or  political  subdivision  of  the 
state  or  a  city,  county,  or  city  and  county,  including,  but  not  limited  to,  a  law  enforcement  agency. 


1798.90.51. 


An  ALPR  operator  shall  do  all  of  the  following: 

(a)  Maintain  reasonable  security  procedures  and  practices,  including  operational,  administrative,  technical,  and 
physical  safeguards,  to  protect  ALPR  information  from  unauthorized  access,  destruction,  use,  modification,  or 
disclosure. 

(b)  (1)  Implement  a  usage  and  privacy  policy  in  order  to  ensure  that  the  collection,  use,  maintenance,  sharing,  and 
dissemination  of  ALPR  information  is  consistent  with  respect  for  individuals'  privacy  and  civil  liberties.  The  usage  and 
privacy  policy  shall  be  available  to  the  public  in  writing,  and,  if  the  ALPR  operator  has  an  Internet  Web  site,  the 
usage  and  privacy  policy  shall  be  posted  conspicuously  on  that  Internet  Web  site. 

(2)  The  usage  and  privacy  policy  shall,  at  a  minimum,  include  all  of  the  following: 

(A)  The  authorized  purposes  for  using  the  ALPR  system  and  collecting  ALPR  information. 

(B)  A  description  of  the  job  title  or  other  designation  of  the  employees  and  independent  contractors  who  are  authorized 
to  use  or  access  the  ALPR  system,  or  to  collect  ALPR  information.  The  policy  shall  identify  the  training  requirements 
necessary  for  those  authorized  employees  and  independent  contractors. 

(C)  A  description  of  how  the  ALPR  system  will  be  monitored  to  ensure  the  security  of  the  information  and  compliance  with 
applicable  privacy  laws. 

(D)  The  purposes  of,  process  for,  and  restrictions  on,  the  sale,  sharing,  or  transfer  of  ALPR  information  to  other 
persons . 

(E)  The  title  of  the  official  custodian,  or  owner,  of  the  ALPR  system  responsible  for  implementing  this  section. 

(F)  A  description  of  the  reasonable  measures  that  will  be  used  to  ensure  the  accuracy  of  ALPR  information  and  correct 
data  errors. 

(G)  The  length  of  time  ALPR  information  will  be  retained,  and  the  process  the  ALPR  operator  will  utilize  to  determine  if 
and  when  to  destroy  retained  ALPR  information. 


1798.90.52. 


If  an  ALPR  operator  accesses  or  provides  access  to  ALPR  information,  the  ALPR  operator  shall  do  both  of  the  following: 
(a)  Maintain  a  record  of  that  access.  At  a  minimum,  the  record  shall  include  all  of  the  following: 


(1)  The  date  and  time  the  information  is  accessed. 


(2)  The  license  plate  number  or  other  data  elements  used  to  query  the  ALPR  system. 

(3)  The  username  of  the  person  who  accesses  the  information,  and,  as  applicable,  the  organization  or  entity  with  whom 
the  person  is  affiliated. 

(4)  The  purpose  for  accessing  the  information. 

(b)  Require  that  ALPR  information  only  be  used  for  the  authorized  purposes  described  in  the  usage  and  privacy  policy 
required  by  subdivision  (b)  of  Section  1798.90.51. 


1798.90.53. 


An  ALPR  end-user  shall  do  all  of  the  following: 

(a)  Maintain  reasonable  security  procedures  and  practices,  including  operational,  administrative,  technical,  and 
physical  safeguards,  to  protect  ALPR  information  from  unauthorized  access,  destruction,  use,  modification,  or 
disclosure. 

(b)  (1)  Implement  a  usage  and  privacy  policy  in  order  to  ensure  that  the  access,  use,  sharing,  and  dissemination  of  ALPR 
information  is  consistent  with  respect  for  individuals'  privacy  and  civil  liberties.  The  usage  and  privacy  policy  shall 
be  available  to  the  public  in  writing,  and,  if  the  ALPR  end-user  has  an  Internet  Web  site,  the  usage  and  privacy  policy 
shall  be  posted  conspicuously  on  that  Internet  Web  site. 

(2)  The  usage  and  privacy  policy  shall,  at  a  minimum,  include  all  of  the  following: 

(A)  The  authorized  purposes  for  accessing  and  using  ALPR  information. 

(B)  A  description  of  the  job  title  or  other  designation  of  the  employees  and  independent  contractors  who  are  authorized 
to  access  and  use  ALPR  information.  The  policy  shall  identify  the  training  requirements  necessary  for  those  authorized 
employees  and  independent  contractors. 

(C)  A  description  of  how  the  ALPR  system  will  be  monitored  to  ensure  the  security  of  the  information  accessed  or  used, 
and  compliance  with  all  applicable  privacy  laws  and  a  process  for  periodic  system  audits. 

(D)  The  purposes  of,  process  for,  and  restrictions  on,  the  sale,  sharing,  or  transfer  of  ALPR  information  to  other 
persons . 

(E)  The  title  of  the  official  custodian,  or  owner,  of  the  ALPR  information  responsible  for  implementing  this  section. 

(F)  A  description  of  the  reasonable  measures  that  will  be  used  to  ensure  the  accuracy  of  ALPR  information  and  correct 
data  errors. 

(G)  The  length  of  time  ALPR  information  will  be  retained,  and  the  process  the  ALPR  end-user  will  utilize  to  determine  if 
and  when  to  destroy  retained  ALPR  information. 


1798.90.54. 

(a)  In  addition  to  any  other  sanctions,  penalties,  or  remedies  provided  by  law,  an  individual  who  has  been  harmed  by  a 
violation  of  this  title,  including,  but  not  limited  to,  unauthorized  access  or  use  of  ALPR  information  or  a  breach  of 
security  of  an  ALPR  system,  may  bring  a  civil  action  in  any  court  of  competent  jurisdiction  against  a  person  who 
knowingly  caused  the  harm. 

(b)  The  court  may  award  a  combination  of  any  one  or  more  of  the  following: 

(1)  Actual  damages,  but  not  less  than  liquidated  damages  in  the  amount  of  two  thousand  five  hundred  dollars  ($2,500). 

(2)  Punitive  damages  upon  proof  of  willful  or  reckless  disregard  of  the  law. 

(3)  Reasonable  attorney's  fees  and  other  litigation  costs  reasonably  incurred. 

(4)  Other  preliminary  and  equitable  relief  as  the  court  determines  to  be  appropriate. 


1798.90.55. 


Notwithstanding  any  other  law  or  regulation: 

(a)  A  public  agency  that  operates  or  intends  to  operate  an  ALPR  system  shall  provide  an  opportunity  for  public  comment 
at  a  regularly  scheduled  public  meeting  of  the  governing  body  of  the  public  agency  before  implementing  the  program. 

(b)  A  public  agency  shall  not  sell,  share,  or  transfer  ALPR  information,  except  to  another  public  agency,  and  only  as 
otherwise  permitted  by  law.  For  purposes  of  this  section,  the  provision  of  data  hosting  or  towing  services  shall  not  be 
considered  the  sale,  sharing,  or  transferring  of  ALPR  information. 

SEC.  4. 

(a)  Section  1.1  of  this  bill  incorporates  amendments  to  Section  1798.29  of  the  Civil  Code  proposed  by  both  this  bill 
and  Senate  Bill  570.  It  shall  only  become  operative  if  (1)  both  bills  are  enacted  and  become  effective  on  or  before 
January  1,  2016,  (2)  each  bill  amends  Section  1798.29  of  the  Civil  Code,  (3)  Assembly  Bill  964  is  not  enacted  or  as 
enacted  does  not  amend  that  section,  and  (4)  this  bill  is  enacted  after  Senate  Bill  570,  in  which  case  Sections  1,  1.2, 
and  1.3  of  this  bill  shall  not  become  operative. 

(b)  Section  1.2  of  this  bill  incorporates  amendments  to  Section  1798.29  of  the  Civil  Code  proposed  by  both  this  bill  and 
Assembly  Bill  964.  It  shall  only  become  operative  if  (1)  both  bills  are  enacted  and  become  effective  on  or  before 


January  1,  2016,  (2)  each  bill  amends  Section  1798.29  of  the  Civil  Code,  (3)  Senate  Bill  570  is  not  enacted  or  as 
enacted  does  not  amend  that  section,  and  (4)  this  bill  is  enacted  after  Assembly  Bill  964,  in  which  case  Sections  1, 

1.1,  and  1.3  of  this  bill  shall  not  become  operative. 

(c)  Section  1.3  of  this  bill  incorporates  amendments  to  Section  1798.29  of  the  Civil  Code  proposed  by  this  bill,  Senate 
Bill  570,  and  Assembly  Bill  964.  It  shall  only  become  operative  if  (1)  all  three  bills  are  enacted  and  become  effective 
on  or  before  January  1,  2016,  (2)  all  three  bills  amend  Section  1798.29  of  the  Civil  Code,  and  (3)  this  bill  is  enacted 
after  Senate  Bill  570  and  Assembly  Bill  964,  in  which  case  Sections  1,  1.1,  and  1.2  of  this  bill  shall  not  become 
operative. 

SEC.  5. 

(a)  Section  2.1  of  this  bill  incorporates  amendments  to  Section  1798.82  of  the  Civil  Code  proposed  by  both  this  bill 
and  Senate  Bill  570.  It  shall  only  become  operative  if  (1)  both  bills  are  enacted  and  become  effective  on  or  before 
January  1,  2016,  (2)  each  bill  amends  Section  1798.82  of  the  Civil  Code,  (3)  Assembly  Bill  964  is  not  enacted  or  as 
enacted  does  not  amend  that  section,  and  (4)  this  bill  is  enacted  after  Senate  Bill  570,  in  which  case  Sections  2,  2.2, 
and  2.3  of  this  bill  shall  not  become  operative. 

(b)  Section  2.2  of  this  bill  incorporates  amendments  to  Section  1798.82  of  the  Civil  Code  proposed  by  both  this  bill  and 
Assembly  Bill  964.  It  shall  only  become  operative  if  (1)  both  bills  are  enacted  and  become  effective  on  or  before 
January  1,  2016,  (2)  each  bill  amends  Section  1798.82  of  the  Civil  Code,  (3)  Senate  Bill  570  is  not  enacted  or  as 
enacted  does  not  amend  that  section,  and  (4)  this  bill  is  enacted  after  Assembly  Bill  964,  in  which  case  Sections  2, 

2.1,  and  2.3  of  this  bill  shall  not  become  operative. 

(c)  Section  2.3  of  this  bill  incorporates  amendments  to  Section  1798.82  of  the  Civil  Code  proposed  by  this  bill,  Senate 
Bill  570,  and  Assembly  Bill  964.  It  shall  only  become  operative  if  (1)  all  three  bills  are  enacted  and  become  effective 
on  or  before  January  1,  2016,  (2)  all  three  bills  amend  Section  1798.82  of  the  Civil  Code,  and  (3)  this  bill  is  enacted 
after  Senate  Bill  570  and  Assembly  Bill  964,  in  which  case  Sections  2,  2.1,  and  2.2  of  this  bill  shall  not  become 
operative. 


Sergeant  John  Gaw 

LASD  /  Technology  and  Support  Division  (TSD) 

Communications  and  Fleet  Management  Bureau  (CFMB) 

Advanced  Surveillance  and  Protection  Unit  (ASAP) 

12440  East  Imperial  Highway,  #130 

Norwalk,  CA  90650 

(562)  345-4476  /  Office 

(562)  774-7976  /  Cell 

(323)  415-4876  /  FAX 

i IgawOlasd .ora  cmailto : i IgawOlasd . org> 

http : //www. youtube . com/user/LACountvSherif f  <http : //www. youtube . com/user/LACountvSherif f> 


image001.gif- 


iHj 


Attachments-63/Part  1.1.2 
Attachments-63/imageOO  1  .gif 


